CN109600258B - Industrial protocol message recording device and method - Google Patents


Info

Publication number
CN109600258B
Authority
CN
China
Prior art keywords
message
industrial protocol
recording
protocol message
industrial
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811504723.XA
Other languages
Chinese (zh)
Other versions
CN109600258A (en)
Inventor
陈亚宁
牛治绿
王红强
周壮
焦颖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Insec Technology Beijing Co ltd
Original Assignee
Insec Technology Beijing Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Insec Technology Beijing Co ltd
Priority to CN201811504723.XA
Publication of CN109600258A
Application granted
Publication of CN109600258B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information: received data contents, e.g. message integrity
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a device for recording industrial protocol messages, applied to an industrial control network system, wherein the device comprises: a message prerecording module, used for acquiring and recording industrial protocol messages from a communication interface of the industrial control network system; a message analysis module, used for analyzing an industrial protocol message to determine whether it meets a message record triggering condition; a message recording module, used for at least storing the currently recorded industrial protocol messages when the industrial protocol message is determined to meet the message recording triggering condition; and a first skipping module, used for returning to the message prerecording module when the industrial protocol message is determined not to meet the message recording triggering condition. The embodiment of the invention has the beneficial effects that: the current potential safety or fault hazard can be determined by analyzing the industrial protocol message and comparing it against the message recording triggering conditions, so that the related industrial protocol messages can be recorded in time and the integrity of the recorded industrial protocol messages is ensured.

Description

Industrial protocol message recording device and method
Technical Field
The invention relates to the technical field of industrial control, in particular to an industrial protocol message recording device and method.
Background
Industrial control systems have a large number of smart devices (e.g., PLCs, HMIs, operator workstations, etc.) that communicate using an industrial communication protocol (e.g., Modbus, S7) to implement automation.
When the industrial control system has a function abnormality or suffers a network attack or similar problem, the communication messages transmitted in the system need to be recorded and analyzed so as to locate and solve the problem. If messages are recorded only once a problem has been noticed, the time lag means that the messages from the whole course of the problem cannot be completely captured, so the whole process is hard to trace and reconstruct. If messages are instead recorded continuously, their huge number not only occupies a large amount of storage space but also makes the messages related to a problem hard to find quickly during analysis. For example, at a network traffic rate of 100Mb/s, 750Mb of storage space is required to record messages for 1 hour, and about 18GB is required for one day. Analyzing and locating problems in such a mass of messages is very difficult and does not favor solving them quickly.
Because an effective message recording means is lacking, when the industrial control system has a function abnormality or suffers a network attack or similar problem, the problem cannot be quickly located and solved, which affects the safe and stable operation of the industrial control system.
Disclosure of Invention
An embodiment of the present invention provides an apparatus and a method for recording an industrial protocol packet, which are used to solve at least one of the above technical problems.
In a first aspect, an embodiment of the present invention provides an industrial protocol packet recording device, which is applied to an industrial control network system, and the device includes:
the message prerecording module is used for acquiring and recording an industrial protocol message from a communication interface of the industrial control network system;
the message analysis module is used for analyzing the industrial protocol message to determine whether the industrial protocol message meets a message record triggering condition, wherein the message record triggering condition at least comprises an abnormal industrial protocol function code and/or an abnormal point address and/or an abnormal point value;
the message recording module is used for at least storing the currently recorded industrial protocol message when the industrial protocol message is determined to accord with the message recording triggering condition;
and the first skipping module is used for skipping to the message prerecording module when the industrial protocol message is determined not to accord with the message recording triggering condition.
In a second aspect, an embodiment of the present invention provides an industrial protocol packet recording method, which is applied to an industrial control network system, and the method includes:
S10, collecting and recording industrial protocol messages from the communication interface of the industrial control network system;
S20, analyzing the industrial protocol message to determine whether the industrial protocol message meets a message record triggering condition, wherein the message record triggering condition at least comprises an abnormal industrial protocol function code and/or an abnormal point address and/or an abnormal point value;
S30, if yes, at least storing the currently recorded industrial protocol message;
S40, if not, returning to step S10.
In a third aspect, an embodiment of the present invention provides a storage medium, where one or more programs including execution instructions are stored, where the execution instructions can be read and executed by an electronic device (including but not limited to a computer, a server, or a network device, etc.) to perform any one of the above-described industrial protocol message recording methods of the present invention.
In a fourth aspect, an electronic device is provided, comprising: the system comprises at least one processor and a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor, and the instructions are executable by the at least one processor to enable the at least one processor to perform any one of the industrial protocol message recording methods of the present invention described above.
In a fifth aspect, an embodiment of the present invention further provides a computer program product, where the computer program product includes a computer program stored on a storage medium, and the computer program includes program instructions, and when the program instructions are executed by a computer, the computer is caused to execute any one of the above-mentioned industrial protocol message recording methods.
The embodiment of the invention has the beneficial effects that: the current potential safety or fault hazard can be determined by analyzing the industrial protocol message and comparing the preset message record triggering conditions comprising the abnormal industrial protocol function code and/or the abnormal point address and/or the abnormal point value, so that the related industrial protocol message can be recorded in time, and the integrity of the recorded industrial protocol message is ensured. The complete and reliable recorded data is provided for the problems of abnormal functions or network attacks suffered by the industrial control system and the like.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic block diagram of an embodiment of an industrial protocol message recording apparatus of the present invention;
FIG. 2 is a schematic block diagram of another embodiment of an industrial protocol message recording apparatus according to the present invention;
FIG. 3 is a flowchart of an embodiment of an industrial protocol message recording method according to the present invention;
FIG. 4 is a flowchart of another embodiment of an industrial protocol message recording method according to the present invention;
FIG. 5 is a schematic block diagram of a message collection rule of an industrial protocol message recording device;
FIG. 6 is a flowchart of an embodiment of a packet collector in the present invention;
FIG. 7 is a schematic diagram of a workflow of an embodiment of a message prerecording module in the present invention;
FIG. 8 is a flowchart of the operation of an embodiment of a message analysis module in the present invention;
FIG. 9 is a flowchart illustrating an embodiment of a message recording module according to the present invention;
FIG. 10 is a flow diagram of an embodiment of a message record management module in the present invention;
FIG. 11 is a flow chart of message record database information query, file acquisition, and deletion in the present invention;
FIG. 12 is a schematic structural diagram of an embodiment of an electronic device according to the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
The invention may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
As used in this disclosure, "module," "device," "system," and the like are intended to refer to a computer-related entity, either hardware, a combination of hardware and software, or software in execution. In particular, for example, an element may be, but is not limited to being, a process running on a processor, an object, an executable, a thread of execution, a program, and/or a computer. Also, an application or script running on a server, or a server, may be an element. One or more elements may be in a process and/or thread of execution and an element may be localized on one computer and/or distributed between two or more computers and may be operated by various computer-readable media. The elements may also communicate by way of local and/or remote processes based on a signal having one or more data packets, e.g., from a data packet interacting with another element in a local system, distributed system, and/or across a network in the internet with other systems by way of the signal.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The invention provides an industrial protocol message recording device and method based on condition triggering. The message recording method can record the message aiming at the whole industrial control system or specific important intelligent equipment, can set a series of trigger conditions, and records the message of the related equipment only when the trigger conditions are met. In order to obtain a complete message, the device caches a message with a preset duration in the memory all the time, and when message recording is triggered, the message is recorded together with the subsequent message after being merged. The recorded message is compressed and stored in the form of a file, which is called a message record file. Meanwhile, a message recording event database is established, event information triggering message recording each time and a corresponding message recording file path are stored in the database, and indexes are established according to message recording time, triggering conditions, relevant equipment and other information, so that the corresponding message recording file can be quickly positioned during problem analysis.
As shown in fig. 1, an embodiment of the present invention provides an industrial protocol packet recording apparatus 100, which is applied to an industrial control network system, where the industrial protocol packet recording apparatus 100 includes:
the message prerecording module 110 is configured to collect and record an industrial protocol message from a communication interface of the industrial control network system;
a message parsing module 120, configured to parse the industrial protocol message to determine whether the industrial protocol message meets a message record triggering condition, where the message record triggering condition includes an abnormal industrial protocol function code and/or an abnormal point address and/or an abnormal point value;
a message recording module 130, configured to, when it is determined that the industrial protocol message meets a message recording trigger condition, at least store the currently recorded industrial protocol message;
and the first skipping module 140 is configured to skip to the message prerecording module when it is determined that the industrial protocol message does not conform to the message recording trigger condition.
According to the embodiment of the invention, the current potential safety or fault hazard can be determined by analyzing the industrial protocol message and comparing the preset message record triggering conditions comprising the abnormal industrial protocol function code and/or the abnormal point address and/or the abnormal point value, so that the related industrial protocol message can be recorded in time, and the integrity of the recorded industrial protocol message is ensured. The complete and reliable recorded data is provided for the problems of abnormal functions or network attacks suffered by the industrial control system and the like.
As shown in fig. 2, in some embodiments, the apparatus 100 for recording an industrial protocol packet further includes:
a duration determining module 120' configured to determine whether a duration of the currently recorded industrial protocol packet exceeds a set threshold;
the message deleting module 130' is configured to delete the earliest-recorded part of the currently recorded industrial protocol messages when it is determined that the duration of the currently recorded industrial protocol messages exceeds the set threshold;
for example, with the threshold set to 10s, once the message pre-recording module 110 has recorded industrial protocol messages from the 1st second through the 10th second, a part of the earliest recorded messages is deleted (for example, the messages recorded in the 1st second, or those recorded in the 2nd or 3rd second, etc.; the invention does not limit this).
And the second skipping module 140' is used for skipping to the message prerecording module when the duration for recording the industrial protocol message currently does not exceed the set threshold.
In the embodiment of the invention, the storage file formed by the finally recorded and cached industrial protocol message can be ensured not to be too large by judging whether the time length of the currently recorded industrial protocol message exceeds the set threshold value in real time. Specifically, the inventor finds that any abnormal function or network attack suffered in an industrial control system has a certain duration, so that when recording related industrial protocol messages, long-time recording is not needed, and only the messages with a preset duration need to be recorded (the preset duration does not exceed a set threshold, and the set threshold can be determined according to the average duration of the abnormal function and the network attack counted historically), so that the integrity of the recorded messages can be ensured, and the overhead caused by message data storage can be minimized; on the other hand, the data volume of later query retrieval is reduced, and the efficiency of problem location is improved.
In some embodiments, the storing at least the currently recorded industrial protocol message comprises: and storing the currently recorded industrial protocol message and the industrial protocol message collected from the communication interface from the current time point to the preset time.
For example, the preset time may be 10s, and with reference to the set threshold value of 10s in the foregoing embodiment, the industrial protocol packets stored in this embodiment are 10s of industrial protocol packets already recorded before the current time point and 10s of industrial protocol packets continuously recorded after the current time point, and 20s of industrial protocol packets are recorded in total. In the embodiment of the invention, the currently recorded industrial protocol message is saved, and the subsequent industrial protocol message is continuously acquired through the corresponding communication interface, so that the integrity of the finally recorded industrial protocol message is ensured.
As shown in fig. 3, an embodiment of the present invention provides an industrial protocol packet recording method, which is applied to an industrial control network system, and the method includes:
S10, collecting and recording industrial protocol messages from the communication interface of the industrial control network system;
S20, analyzing the industrial protocol message to determine whether the industrial protocol message meets a message record triggering condition, wherein the message record triggering condition comprises an abnormal industrial protocol function code and/or an abnormal point address and/or an abnormal point value;
S30, if yes, at least storing the currently recorded industrial protocol message;
S40, if not, returning to step S10.
According to the embodiment of the invention, the current potential safety or fault hazard can be determined by analyzing the industrial protocol message and comparing the preset message record triggering conditions comprising the abnormal industrial protocol function code and/or the abnormal point address and/or the abnormal point value, so that the related industrial protocol message can be recorded in time, and the integrity of the recorded industrial protocol message is ensured. The complete and reliable recorded data is provided for the problems of abnormal functions or network attacks suffered by the industrial control system and the like.
As shown in fig. 4, in some embodiments, the industrial protocol message recording method of the present invention further includes:
S20', judging whether the duration of the currently recorded industrial protocol messages exceeds a set threshold;
S30', if yes, deleting the earliest-recorded part of the currently recorded industrial protocol messages;
S40', if not, returning to step S10.
In some embodiments, the storing at least the currently recorded industrial protocol message comprises: and storing the currently recorded industrial protocol message and the industrial protocol message collected from the communication interface from the current time point to the preset time.
In some embodiments, after storing at least the currently recorded industrial protocol message, the method further comprises: generating message recording event information according to the content of the currently recorded industrial protocol message, wherein the message recording event information comprises: the message record file name and/or path information and/or recording time and/or trigger conditions and/or device information.
It should be noted that for simplicity of explanation, the foregoing method embodiments are described as a series of acts or combination of acts, but those skilled in the art will appreciate that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention. In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
The method for recording an industrial protocol message according to the embodiment of the present invention may be implemented by an industrial protocol message recording apparatus according to the embodiment of the present invention, and accordingly achieve the technical effect achieved by the apparatus for recording an industrial protocol message according to the embodiment of the present invention, and will not be described herein again. In the embodiment of the present invention, the relevant functional module may be implemented by a hardware processor (hardware processor).
In some embodiments, the industrial protocol message recording apparatus 100 of the present invention further includes a message collection module, which is composed of a message collection rule editor and a message collector. The message collecting rule editor takes the message identification information to be collected as a message collecting rule to be configured in the message collector.
As shown in fig. 5, the schematic block diagram of the message collection rule of the industrial protocol message recording device includes a plurality of network ports, serial ports, and other communication interfaces, and a different message collection rule list is configured for each communication interface. The message collection rules 0-n in a list are in a logical OR relationship, that is, as long as any rule in the message collection rule list is matched, the matching is successful. The message identification information to be extracted differs between network protocols: for the Ethernet protocol, the message identification information includes the source device MAC address, source device IP address, source device port, destination device MAC address, destination device IP address, destination device port, transmission protocol and the like; for a serial port protocol, the message identification information includes the source device address identification, destination device address identification, and the like.
The message collection rules may include one or more of the above message identifications. When one message collection rule is configured with a plurality of message identifications, the plurality of message identifications are in a logical AND relationship, namely when all the message identifications configured by the message collection rule are matched, the message collection rule is successfully matched.
TABLE 1 Ethernet communication collection rule configuration example
Rule | Source device MAC address | Source device IP address | Source device port | Destination device port
1 | 68:F7:29:CE:3E:DF | 192.168.0.98 | |
2 | | | 1102 | 502
In Table 1, collection rule 1 matches messages whose source device MAC address is 68:F7:29:CE:3E:DF and whose source IP address is 192.168.0.98. Collection rule 2 matches messages whose source device port is 1102 and whose destination device port is 502. If a communication interface is configured with both rule 1 and rule 2, a message is collected as long as it conforms to either of the two collection rules.
Fig. 6 is a flowchart of an embodiment of a packet collector in the present invention. It specifically comprises the following steps:
the message collector collects messages from a communication interface in the industrial control system network;
it detects whether the message collection rule list of that communication interface is empty;
if the list is empty, all messages collected from the industrial control system are forwarded to the message pre-recording module and the message analysis module;
if the message collection rule list of the communication interface is not empty, the message identification information is extracted;
and matched against each rule in the message collection rule list: if any rule matches, the match succeeds and the message is forwarded to the message pre-recording module and the message analysis module; if no rule matches, the message is discarded.
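The collector flow above applied to the Table 1 rules, as an added Python illustration that is not the patent's own code: it assumes Ethernet II/IPv4/TCP framing, treats "transmission protocol" as the IPv4 protocol number, and constructs its own sample frames (checksums left zero, which the matcher does not inspect).

```python
import struct

IPV4_ETHERTYPE = 0x0800


def ethernet_identification(frame: bytes) -> dict:
    """Extract the message identification fields the Ethernet collection rules refer to."""
    if len(frame) < 34:
        raise ValueError("truncated frame: need at least Ethernet + IPv4 headers")
    dst_mac, src_mac, ethertype = struct.unpack(">6s6sH", frame[:14])
    if ethertype != IPV4_ETHERTYPE:
        raise ValueError("only IPv4 frames are handled in this illustration")
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]                      # IPv4 protocol number ("transmission protocol")
    src_ip, dst_ip = struct.unpack(">4s4s", frame[26:34])
    ident = {
        "src_mac": src_mac.hex(":").upper(), "dst_mac": dst_mac.hex(":").upper(),
        "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
        "protocol": proto,
    }
    # TCP (6) and UDP (17) both carry source/destination ports in the first 4 bytes.
    if proto in (6, 17) and len(frame) >= 14 + ihl + 4:
        ident["src_port"], ident["dst_port"] = struct.unpack(">HH", frame[14 + ihl:14 + ihl + 4])
    return ident


# Table 1 as configured for one interface: rule 1 = source MAC AND source IP,
# rule 2 = source port AND destination port; the two rules are ORed.
TABLE1_RULES = [
    {"src_mac": "68:F7:29:CE:3E:DF", "src_ip": "192.168.0.98"},
    {"src_port": 1102, "dst_port": 502},
]


def should_collect(frame: bytes, rule_list) -> bool:
    """FIG. 6 decision: an empty rule list forwards every message; otherwise
    the message is kept if all identifications of at least one rule match."""
    if not rule_list:
        return True
    ident = ethernet_identification(frame)
    return any(all(ident.get(k) == v for k, v in rule.items()) for rule in rule_list)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport) -> bytes:
    """Constructed minimal Ethernet/IPv4/TCP frame with an empty payload (sample input only)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack(">H", IPV4_ETHERTYPE))
    ip_src = bytes(int(x) for x in src_ip.split("."))
    ip_dst = bytes(int(x) for x in dst_ip.split("."))
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol=TCP, checksum, src, dst
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0, ip_src, ip_dst)
    # sport, dport, seq, ack, data offset, flags(PSH|ACK), window, checksum, urgent
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp


if __name__ == "__main__":
    # Constructed sample: an HMI at 192.168.0.98 polling a PLC on the Modbus/TCP port.
    sample = build_frame("68:F7:29:CE:3E:DF", "00:0C:29:AA:BB:CC", "192.168.0.98", "192.168.0.10", 1102, 502)
    print(ethernet_identification(sample), should_collect(sample, TABLE1_RULES))
```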
Fig. 7 is a schematic diagram of the workflow of an embodiment of a message pre-recording module according to the present invention. It specifically comprises the following steps:
caching the real-time communication messages in memory;
detecting whether the cached messages exceed the caching duration: the message pre-recording module keeps messages of a preset duration in the memory of the industrial protocol message recording device, and caches each newly received communication message into the memory;
if the cached messages exceed the caching duration, deleting a part of the earliest cached messages from the currently cached messages and ending; otherwise, continuing to detect whether the cached messages exceed the caching duration.
In some embodiments, the message analysis module consists of a trigger condition rule editor and a message analyzer.
The trigger condition rule editor defines trigger condition rules from feature data such as the industrial protocol function code, point address and point value, and stores them in a trigger condition rule list for use by the message analyzer. The rules in the trigger condition rule list are in a logical OR relationship: as long as any rule is met, message recording is triggered and a corresponding message recording event is generated. The feature data within one trigger condition rule are in a logical AND relationship: the message content must meet all the conditions in the rule.
TABLE 2 Examples of trigger condition rules
Serial number ID | Feature 1 | Feature 2 | Feature N
1 | Function code = read holding registers | |
2 | Function code = write holding register | Point address = 0 | Value < 1000
The configuration of Modbus protocol trigger condition rules is described in Table 2. Rule 1: when the message function code is read holding registers, message recording is triggered and a message recording event is generated. Rule 2: when the message function code is write holding register, the written point address is 0 and the written value is less than 1000, message recording is triggered and a message recording event is generated.
TABLE 3 event information examples (the table is supplied as an image in the original and is not reproduced here)
Fig. 8 is a workflow diagram of an embodiment of the message analysis module in the present invention, comprising:
acquiring a message;
judging whether the trigger condition rule list is empty;
if yes, not analyzing the message and ending;
if not, analyzing the message content and traversing the trigger condition rule list, specifically:
acquiring each trigger condition rule in turn;
judging whether all the feature data in the rule are matched;
if not, judging whether all rules in the trigger condition rule list have been traversed;
if yes, ending;
if not, acquiring the next trigger condition rule and repeating the above steps;
if all the feature data in the rule are matched, generating event information and forwarding the event to the message recording module.
In some embodiments, the message analyzer detects whether the trigger condition rule list is empty, and if so, does not perform message analysis. When the trigger condition rule list is not empty, the content of the message is analyzed, each rule in the trigger condition rule list is traversed, if the trigger condition rule is met, message recording event information is created according to the message content, and the event information is sent to the message recording module.
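The Fig. 8 analysis applied to Modbus/TCP requests with the Table 2 rules, as an added example (not code from the patent). It assumes standard Modbus/TCP framing (MBAP header plus PDU), maps "read holding register" and "write holding register" to function codes 0x03 and 0x06, adds a constructed rule 3 for function code 0x10 (write multiple registers), and also rejects frames whose MBAP length field does not match the frame, a check the flow of Fig. 8 does not mention; rule field names and the sample requests are assumptions.

```python
# Added example (not code from the patent): the Fig. 8 message analyzer over
# Modbus/TCP requests with the Table 2 rules. Modbus/TCP framing (MBAP + PDU) and
# the 0x03/0x06 mapping of "read/write holding register" are assumptions here.
import struct
from typing import Dict, List, Optional

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10

# Rules 1 and 2 carry the Table 2 values; rule 3 is a constructed extension.
TABLE2_RULES: List[Dict] = [
    {"id": 1, "function_code": READ_HOLDING_REGISTERS},
    {"id": 2, "function_code": WRITE_SINGLE_REGISTER, "address": 0, "value_lt": 1000},
    {"id": 3, "function_code": WRITE_MULTIPLE_REGISTERS, "address": 0, "value_lt": 1000},
]

def parse_modbus_tcp(frame: bytes) -> Optional[Dict]:
    """Extract feature data (function code, point address, written values) from
    one Modbus/TCP request; None for malformed frames or undecoded codes."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # MBAP length = unit id + PDU; a mismatch means a truncated or padded frame.
    if proto != 0 or length != len(frame) - 6:
        return None
    pdu = frame[7:]
    fc = pdu[0]
    feat = {"transaction_id": tid, "unit_id": unit, "function_code": fc,
            "address": None, "values": []}
    if fc == READ_HOLDING_REGISTERS and len(pdu) == 5:
        feat["address"], feat["quantity"] = struct.unpack(">HH", pdu[1:5])
    elif fc == WRITE_SINGLE_REGISTER and len(pdu) == 5:
        feat["address"], value = struct.unpack(">HH", pdu[1:5])
        feat["values"] = [value]
    elif fc == WRITE_MULTIPLE_REGISTERS and len(pdu) >= 6:
        addr, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
        if nbytes != 2 * qty or len(pdu) != 6 + nbytes:
            return None
        feat["address"] = addr
        feat["values"] = list(struct.unpack(">%dH" % qty, pdu[6:]))
    else:
        return None
    return feat

def rule_matches(rule: Dict, feat: Dict) -> bool:
    """Feature data within one rule are ANDed: every listed feature must hold."""
    if "function_code" in rule and feat["function_code"] != rule["function_code"]:
        return False
    if "address" in rule and feat["address"] != rule["address"]:
        return False
    # A read request writes nothing, so a value condition cannot be met by it.
    if "value_lt" in rule and not any(v < rule["value_lt"] for v in feat["values"]):
        return False
    return True

def analyze(rules: List[Dict], frame: bytes) -> Optional[Dict]:
    """Fig. 8: an empty rule list means no analysis; otherwise rules are ORed
    and the first match yields message recording event information."""
    if not rules:
        return None
    feat = parse_modbus_tcp(frame)
    if feat is None:
        return None
    for rule in rules:
        if rule_matches(rule, feat):
            return {"rule_id": rule["id"], **feat}
    return None

def mbap(pdu: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Wrap a PDU in a Modbus/TCP header (used to build the constructed input)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample requests (not from the patent).
READ_REQ = mbap(struct.pack(">BHH", READ_HOLDING_REGISTERS, 0, 10))     # rule 1
WRITE_LOW = mbap(struct.pack(">BHH", WRITE_SINGLE_REGISTER, 0, 500))    # rule 2
WRITE_HIGH = mbap(struct.pack(">BHH", WRITE_SINGLE_REGISTER, 0, 2000))  # value not < 1000
WRITE_OTHER = mbap(struct.pack(">BHH", WRITE_SINGLE_REGISTER, 5, 10))   # address not 0
WRITE_MULTI = mbap(struct.pack(">BHHBHH", WRITE_MULTIPLE_REGISTERS, 0, 2, 4, 1500, 7))  # rule 3
TRUNCATED = WRITE_LOW[:-1]  # MBAP length no longer matches the frame
```

Rejecting length mismatches keeps a malformed frame from being decoded as a harmless function code and passing the trigger rules unnoticed.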
Fig. 9 is a flowchart illustrating an embodiment of the message recording module according to the present invention. The method specifically comprises the following steps:
acquiring the occurrence time of the event: the message recording module takes the message recording event information generated by the message analysis module and extracts the time of the event from it;
extracting historical messages of a certain duration before the event from the message pre-recording module;
simultaneously recording the real-time messages after the event occurs;
after recording for the preset duration is finished, merging the historical messages and the real-time messages and compressing them to generate a message recording file;
and naming the message recording file according to a preset naming rule and storing the file in the file system. After the message recording file is generated, the message recording module sends the file name, path information and event information to the message recording management module.
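The pre-recording buffer of Fig. 7 and the event-driven recording of Fig. 9 together, as an added example (not code from the patent). Capture times are passed in explicitly so the run is repeatable; the file name layout <interface>-<sequence>-<protocol>-<event time>.tar.gz is an assumed reading of the Table 4 names, and the tar member names, the frames_in helper and the sample traffic are constructed.

```python
# Added example (not code from the patent): the pre-record buffer of Fig. 7 and the
# event recorder of Fig. 9. Capture times are passed in explicitly; the file name
# layout <interface>-<seq>-<protocol>-<event time>.tar.gz is an assumed reading of Table 4.
import io
import tarfile
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

class PreRecordBuffer:
    """Fig. 7: keep only the most recent `duration` seconds of traffic."""
    def __init__(self, duration: float):
        self.duration = duration
        self._buf: Deque[Tuple[float, bytes]] = deque()  # (capture time, raw message)

    def push(self, ts: float, frame: bytes) -> None:
        self._buf.append((ts, frame))
        # Drop the oldest samples once the cached span exceeds the duration.
        while self._buf and ts - self._buf[0][0] > self.duration:
            self._buf.popleft()

    def history(self, since: float) -> List[Tuple[float, bytes]]:
        return [s for s in self._buf if s[0] >= since]

@dataclass
class Recording:  # one recording in progress, started by a recording event
    event_id: int
    event_time: float
    history: List[Tuple[float, bytes]]
    realtime: List[Tuple[float, bytes]] = field(default_factory=list)

class MessageRecorder:
    """Fig. 9: on an event take `history_secs` of pre-recorded traffic, record
    live traffic for `record_secs`, then merge and compress into one file."""
    def __init__(self, pre: PreRecordBuffer, history_secs: float,
                 record_secs: float, interface: str, protocol: str):
        self.pre, self.history_secs, self.record_secs = pre, history_secs, record_secs
        self.interface, self.protocol = interface, protocol
        self.seq = 0
        self.active: List[Recording] = []

    def on_event(self, event_id: int, ts: float) -> None:
        # Snapshot the history at event time; frames arriving later go to `realtime`.
        self.active.append(Recording(event_id, ts, self.pre.history(ts - self.history_secs)))

    def on_frame(self, ts: float, frame: bytes) -> List[Tuple[str, bytes]]:
        """Feed one captured frame; returns any finished (file name, tar.gz bytes)."""
        self.pre.push(ts, frame)
        finished = []
        for rec in list(self.active):
            if ts - rec.event_time <= self.record_secs:
                rec.realtime.append((ts, frame))
            else:
                finished.append(self._finish(rec))
                self.active.remove(rec)
        return finished

    def _finish(self, rec: Recording) -> Tuple[str, bytes]:
        self.seq += 1
        name = "%s-%d-%s-%d.tar.gz" % (self.interface, self.seq, self.protocol, int(rec.event_time))
        out = io.BytesIO()
        with tarfile.open(fileobj=out, mode="w:gz") as tar:
            for i, (ts, frame) in enumerate(rec.history + rec.realtime):
                info = tarfile.TarInfo(name="%06d-%.3f.bin" % (i, ts))  # constructed member names
                info.size = len(frame)
                tar.addfile(info, io.BytesIO(frame))
        return name, out.getvalue()

def frames_in(archive: bytes) -> int:
    """Number of messages stored in a finished recording file."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return len(tar.getmembers())

def simulate() -> Dict:
    """Constructed scenario: one message per second for 30 s, an event at t=10,
    5 s of history and 5 s of real-time recording, 20 s of pre-record cache."""
    pre = PreRecordBuffer(duration=20.0)
    rec = MessageRecorder(pre, 5.0, 5.0, interface="eth1", protocol="Modbus")
    files = []
    for t in range(30):
        files += rec.on_frame(float(t), b"message-%02d" % t)
        if t == 10:
            rec.on_event(event_id=1, ts=10.0)
    return {"files": [(name, frames_in(data)) for name, data in files],
            "cached": len(pre.history(0.0))}
```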
Table 4 Message record content example
Message record ID | File name | Path | Event ID
7 | eth1-1-Modbus-543216331.tar.gz | /record/dev1 | 1
8 | eth1-2-Modbus-543216333.tar.gz | /record/dev1 | 5
Fig. 10 is a flowchart of the message record management module according to an embodiment of the present invention. The method specifically comprises the following steps:
the message recording management module stores the message recording file name, path and message recording event information generated by the message recording module in a database;
establishing indexes on information such as message recording time, trigger condition and related device;
automatically detecting the available space of the file system: the message recording management module continuously manages the message recording files and detects whether the available space of the file system has fallen to a preset threshold value;
if it has, the historical message recording files and their information in the message record database are automatically deleted, ensuring the storage space required for system operation.
Fig. 11 shows a flowchart of message record database information query, file acquisition and deletion in the present invention. The method specifically comprises the following steps:
receiving query conditions;
searching for and returning the file information and event information;
judging whether the acquired message recording file is to be downloaded;
if yes, returning the message recording file and ending;
if not, further judging whether the message record is to be deleted;
if not, ending;
if so, deleting the message record information and event information from the database;
and deleting the message recording file from the file system and ending.
The user can quickly retrieve message records and event information by message recording time, trigger condition and related device information, and acquiring and deleting message recording files is supported.
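The record management flow of Fig. 10 and the query, download and delete flow of Fig. 11, as an added example (not code from the patent). It uses an in-memory SQLite database; a dict with a fixed capacity stands in for the file system so the threshold check is repeatable; the column names, the purge order (oldest recording first) and the use of the number in the Table 4 file names as the recording time are assumptions.

```python
# Added example (not code from the patent): the record management module of
# Fig. 10 and the query/fetch/delete flow of Fig. 11. Uses an in-memory SQLite
# database; a dict with a fixed capacity stands in for the file system so the
# free-space check is deterministic. Column names and purge order are assumed.
import sqlite3
from typing import Dict, List, Optional, Tuple

class RecordStore:
    """Message recording files plus the database that indexes them."""

    def __init__(self, capacity: int, threshold: int):
        self.capacity, self.threshold = capacity, threshold
        self.files: Dict[str, bytes] = {}  # full path -> archive (stand-in file system)
        self.db = sqlite3.connect(":memory:")
        self.db.execute("""CREATE TABLE record (
            id INTEGER PRIMARY KEY, file TEXT NOT NULL, path TEXT NOT NULL,
            record_time INTEGER NOT NULL, trigger_rule INTEGER NOT NULL,
            device TEXT NOT NULL, event_id INTEGER NOT NULL)""")
        # Fig. 10: indexes on recording time, trigger condition and related device.
        for col in ("record_time", "trigger_rule", "device"):
            self.db.execute("CREATE INDEX idx_%s ON record(%s)" % (col, col))

    def available(self) -> int:
        return self.capacity - sum(len(b) for b in self.files.values())

    def add(self, file: str, path: str, data: bytes, record_time: int,
            trigger_rule: int, device: str, event_id: int) -> int:
        """Fig. 10: store the file, index its metadata, then enforce the threshold."""
        self.files[path + "/" + file] = data
        cur = self.db.execute(
            "INSERT INTO record(file, path, record_time, trigger_rule, device, event_id)"
            " VALUES (?, ?, ?, ?, ?, ?)",
            (file, path, record_time, trigger_rule, device, event_id))
        self.db.commit()
        self.purge_if_needed()
        return cur.lastrowid

    def purge_if_needed(self) -> List[int]:
        """Delete the oldest recordings until free space is back above the threshold."""
        removed = []
        while self.available() < self.threshold:
            row = self.db.execute("SELECT id FROM record ORDER BY record_time, id LIMIT 1").fetchone()
            if row is None:
                break
            self.delete(row[0])
            removed.append(row[0])
        return removed

    def query(self, since: Optional[int] = None, trigger_rule: Optional[int] = None,
              device: Optional[str] = None) -> List[Tuple]:
        """Fig. 11: look up record and event information by the indexed keys."""
        clauses, args = [], []
        for clause, val in (("record_time >= ?", since), ("trigger_rule = ?", trigger_rule),
                            ("device = ?", device)):
            if val is not None:
                clauses.append(clause)
                args.append(val)
        sql = "SELECT id, file, path, record_time, trigger_rule, device, event_id FROM record"
        if clauses:
            sql += " WHERE " + " AND ".join(clauses)
        return self.db.execute(sql + " ORDER BY record_time", args).fetchall()

    def fetch(self, record_id: int) -> Optional[bytes]:
        """Fig. 11 download branch: the archive for one record, if it still exists."""
        row = self.db.execute("SELECT path, file FROM record WHERE id = ?", (record_id,)).fetchone()
        return None if row is None else self.files.get(row[0] + "/" + row[1])

    def delete(self, record_id: int) -> bool:
        """Fig. 11 delete branch: row first, then file, so the index never points at a missing file."""
        row = self.db.execute("SELECT path, file FROM record WHERE id = ?", (record_id,)).fetchone()
        if row is None:
            return False
        self.db.execute("DELETE FROM record WHERE id = ?", (record_id,))
        self.db.commit()
        self.files.pop(row[0] + "/" + row[1], None)
        return True

def demo() -> Dict:
    """Constructed scenario with the Table 4 file names: 1000 bytes of capacity,
    a 300-byte threshold and two 400-byte archives, so the second add purges the first."""
    store = RecordStore(capacity=1000, threshold=300)
    a = store.add("eth1-1-Modbus-543216331.tar.gz", "/record/dev1", b"A" * 400,
                  543216331, 1, "dev1", 1)
    b = store.add("eth1-2-Modbus-543216333.tar.gz", "/record/dev1", b"B" * 400,
                  543216333, 2, "dev1", 5)
    return {"added": (a, b), "remaining": [r[0] for r in store.query()],
            "by_rule_2": len(store.query(trigger_rule=2)), "fetch_a": store.fetch(a),
            "fetch_b_len": len(store.fetch(b)), "available": store.available()}
```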
In some embodiments, the present invention provides a non-transitory computer readable storage medium, in which one or more programs including executable instructions are stored, where the executable instructions can be read and executed by an electronic device (including but not limited to a computer, a server, or a network device, etc.) to perform any one of the above-described industrial protocol message recording methods of the present invention.
In some embodiments, the present invention further provides a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform any of the above-described industrial protocol message recording methods.
In some embodiments, an embodiment of the present invention further provides an electronic device, which includes: at least one processor, and a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the industrial protocol message recording method.
In some embodiments, an embodiment of the present invention further provides a storage medium having a computer program stored thereon which, when executed by a processor, carries out the industrial protocol message recording method.
Fig. 12 is a schematic diagram of a hardware structure of an electronic device that executes an industrial protocol message recording method according to another embodiment of the present application, and as shown in fig. 12, the electronic device includes:
one or more processors 1210 and a memory 1220, with one processor 1210 being an example in fig. 12.
The apparatus for performing the industrial protocol message recording method may further include: an input device 1230 and an output device 1240.
The processor 1210, memory 1220, input device 1230 and output device 1240 may be connected by a bus or other means; connection by a bus is taken as the example in Fig. 12.
The memory 1220 is a non-volatile computer-readable storage medium, and can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules, such as program instructions/modules corresponding to the industrial protocol message recording method in the embodiment of the present application. The processor 1210 executes various functional applications and data processing of the server by running the nonvolatile software program, instructions and modules stored in the memory 1220, that is, the method for recording the industrial protocol message according to the embodiment of the method is implemented.
The memory 1220 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to use of the industrial protocol message recording apparatus, and the like. Further, the memory 1220 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, the memory 1220 optionally includes memory located remotely from the processor 1210, and such remote memory may be coupled to the industrial protocol message recording device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 1230 may receive input numeric or character information and generate signals related to user settings and functional control of the industrial protocol message recording device. The output device 1240 may include a display device such as a display screen.
The one or more modules are stored in the memory 1220, and when executed by the one or more processors 1210, perform the industrial protocol message recording method in any of the method embodiments described above.
The product can execute the method provided by the embodiment of the application, and has the corresponding functional modules and beneficial effects of the execution method. For technical details that are not described in detail in this embodiment, reference may be made to the methods provided in the embodiments of the present application.
The electronic device of the embodiments of the present application exists in various forms, including but not limited to:
(1) Mobile communication devices, which are characterized by mobile communication capabilities and are primarily aimed at providing voice and data communications. Such terminals include smart phones (e.g., iPhones), multimedia phones, feature phones and low-end phones, among others.
(2) Ultra-mobile personal computer devices, which belong to the category of personal computers, have computing and processing functions and generally also have mobile internet access. Such terminals include PDA, MID and UMPC devices, such as iPads.
(3) Servers, which are similar to the general computer architecture but, because they need to provide highly reliable services, have higher requirements for processing capability, stability, reliability, security, scalability, manageability and so on.
(4) Other electronic devices with data interaction functions.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a general hardware platform, and certainly can also be implemented by hardware. Based on such understanding, the above technical solutions substantially or contributing to the related art may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (8)

1. An industrial protocol message recording device is applied to an industrial control network system, and the device comprises:
the message prerecording module is used for acquiring and recording an industrial protocol message from a communication interface of the industrial control network system;
the message analysis module is used for analyzing the industrial protocol message to determine whether the industrial protocol message meets a message record triggering condition, wherein the message record triggering condition at least comprises an abnormal industrial protocol function code and/or an abnormal point address and/or an abnormal point value;
the message recording module is used for at least storing the currently recorded industrial protocol message when the industrial protocol message is determined to accord with the message recording triggering condition;
the first skipping module is used for skipping to the message prerecording module when the industrial protocol message is determined not to accord with the message recording triggering condition;
the time length judging module is used for judging whether the time length of the currently recorded industrial protocol message exceeds a set threshold value or not;
the message deleting module is used for deleting a part of the previously recorded industrial protocol messages in the currently recorded industrial protocol messages when it is judged that the time length of the currently recorded industrial protocol messages exceeds the set threshold value;
and the second skipping module is used for skipping to the message prerecording module when the time length of the currently recorded industrial protocol messages does not exceed the set threshold value.
2. The apparatus of claim 1, wherein the storing at least a currently recorded industrial protocol message comprises: and storing the currently recorded industrial protocol message and the industrial protocol message collected from the communication interface from the current time point to the preset time.
3. The apparatus of claim 1, further comprising:
a message recording management module, configured to generate message recording event information according to the content information of the currently recorded industrial protocol message after at least the currently recorded industrial protocol message is stored, where the message recording event information includes: message recording file name and/or path information and/or recording time and/or trigger condition and/or device information.
4. An industrial protocol message recording method is applied to an industrial control network system, and comprises the following steps:
S10, collecting and recording industrial protocol messages from the communication interface of the industrial control network system;
S20, analyzing the industrial protocol message to determine whether the industrial protocol message meets a message record triggering condition, wherein the message record triggering condition at least comprises an abnormal industrial protocol function code and/or an abnormal point address and/or an abnormal point value;
S30, if yes, at least storing the currently recorded industrial protocol message;
S40, if not, returning to step S10;
S20', judging whether the time length of the currently recorded industrial protocol message exceeds a set threshold value;
S30', if yes, deleting a part of the previously recorded industrial protocol messages in the currently recorded industrial protocol messages;
S40', if not, returning to step S10.
5. The method of claim 4, wherein said storing at least a currently recorded industrial protocol message comprises: and storing the currently recorded industrial protocol message and the industrial protocol message collected from the communication interface from the current time point to the preset time.
6. The method of claim 4, wherein after said storing at least the currently recorded industrial protocol message, the method further comprises:
generating message recording event information according to the content information of the currently recorded industrial protocol message, wherein the message recording event information comprises: message recording file name and/or path information and/or recording time and/or trigger condition and/or device information.
7. An electronic device, comprising: at least one processor, and a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the steps of the method of any one of claims 4-6.
8. A storage medium on which a computer program is stored which, when being executed by a processor, carries out the steps of the method of any one of claims 4 to 6.
CN201811504723.XA 2018-12-10 2018-12-10 Industrial protocol message recording device and method Active CN109600258B (en)

Publications (2)

Publication Number Publication Date
CN109600258A CN109600258A (en) 2019-04-09
CN109600258B true CN109600258B (en) 2022-02-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CB03 Change of inventor or designer information
Inventor after: Niu Zhilv
Inventor after: Jiao Ying
Inventor before: Chen Yaning
Inventor before: Niu Zhilv
Inventor before: Wang Hongqiang
Inventor before: Zhou Zhuang
Inventor before: Jiao Ying
CP02 Change in the address of a patent holder
Address after: 100020 705, Unit 1, Building 1, Yard 1, Longyu Middle Street, Huilongguan Town, Changping District, Beijing
Patentee after: INSEC TECHNOLOGY (BEIJING) Co.,Ltd.
Address before: Room 315, unit 1, floor 3, No. 99, Yuexiu Road, Haidian District, Beijing 100096
Patentee before: INSEC TECHNOLOGY (BEIJING) Co.,Ltd.